Infrastructure Security at Network Level in Cloud Computing
Last Updated: 23 Jul, 2025
Pre-requisite: Cloud Computing
Infrastructure security deals with the threats, risks, and challenges associated with securing an organization's IT infrastructure at the host, network, and application levels. Security practitioners commonly use this approach, whereas non-IT security associates are advised not to equate infrastructure security with access management's infrastructure-as-a-service (IaaS) security. Besides that, infrastructure security is more relevant to customers, as it has ramifications for their threat, risk, and compliance management.
Infrastructure Security at the Network Level
With a private cloud, information security personnel have no new attacks, vulnerabilities, or changes to consider that are specific to this topology: implementing a private cloud might affect our organization's IT infrastructure, but our current network topology probably will not be affected. If we use the services of public clouds, however, any changes in the security requirements will require a change in the network topology. Therefore, we must define how our existing network topology will interact with the topology of the cloud provider.
The risk factors that need to be addressed are:
1. Integrity and Confidentiality of the In-Transit Data: The resources and data that were previously confined within private networks are now exposed to the internet, which is a shared public network that belongs to a third-party cloud provider.
2. Access Control Methods: As a subset of the resources is now exposed to the internet, an organization using public cloud services faces an increased risk to its data. The ability to audit the operations of our cloud provider's network, even after the fact, is non-existent, which can be considered a threat to the network.
3. Availability of the Services Accessible from Internet Resources: Dependency on the security of networks has increased because an enormous number of the organization's personnel or users now depend on externally hosted devices to ensure the availability of services provided by the cloud. Border Gateway Protocol (BGP) prefix hijacking involves announcing, without permission, autonomous system address space that belongs to someone else (an autonomous system is a connected group of one or more IP prefixes run by one or more network operators under a single routing policy). Such mistakes often occur due to misconfigurations, which can affect the availability of our cloud-based resources.
For example: In Feb 2008, Pakistan Telecom declared a dummy route for YouTube to its own telecommunication partner. The intention was to block YouTube within the country, but the result was that YouTube's services were globally affected for 2 hours.
Apart from misconfiguration, there are deliberate attacks as well which can block access to the data.
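The prefix-hijacking risk above can be monitored by checking each observed BGP announcement against the origins authorised for that address space. The following is an added example, not code from the original article: it applies route-origin-validation logic in the style of RFC 6811 to constructed announcements, using documentation prefixes and AS numbers, and the record layout and function names are assumptions.

```python
import ipaddress

# Constructed authorisations in the style of RPKI ROAs:
# (prefix, longest announced length allowed, authorised origin AS).
# Prefixes and AS numbers are taken from the documentation ranges.
ROAS = [
    ("203.0.113.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version != announced.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and announced.prefixlen <= max_len:
            return "valid"
    # Covered by an authorisation but no match on origin/length: hijack candidate.
    return "invalid" if covered else "not-found"

def flag_hijack_candidates(announcements, roas=ROAS):
    """Return the announcements whose origin is not authorised for the space they cover."""
    return [a for a in announcements
            if validate_origin(a["prefix"], a["origin_as"], roas) == "invalid"]

# Constructed announcements, shaped like records from a route collector.
SAMPLE = [
    {"prefix": "203.0.113.0/24", "origin_as": 64496},      # authorised origin
    {"prefix": "203.0.113.0/25", "origin_as": 64511},      # foreign origin, more specific
    {"prefix": "2001:db8:1::/48", "origin_as": 64497},     # authorised, within max length
    {"prefix": "2001:db8:1:2::/64", "origin_as": 64497},   # right origin, too specific
    {"prefix": "192.0.2.0/24", "origin_as": 64500},        # no authorisation on record
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a["prefix"], a["origin_as"], validate_origin(a["prefix"], a["origin_as"]))
```

Announcements classified as "not-found" are not flagged because nothing on record covers them, so the usefulness of the check depends on how complete the authorisation list is.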
4. Replace the Models Established in Network Zones and Tiers within the Domains: The isolation model of network zones and tiers no longer exists in public infrastructure-as-a-service and platform-as-a-service clouds. For years, network security has relied on zones to segregate network traffic. This model was based on exclusion: only individuals and systems in specific roles have access to specific zones. Similarly, systems within a specific tier often have access across a specific tier.
For example: Systems within a presentation tier are not allowed to communicate directly with systems in the database tier, but can communicate only with an authorized system within the application zone.
In the established model of network zones and tiers, development systems are not only logically separated from the production systems at the network level, but the two groups of systems are also physically separated at the host level. In the cloud, however, this separation no longer exists. The cloud computing model of separation by domains provides logical separation for addressing purposes only.
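Because the separation in the cloud is only logical, the tier rules described above have to be enforced, and audited, in the allow rules themselves. The following is an added example, not code from the original article: it checks constructed security-group-style rules against the presentation/application/database model and against development/production separation. The inventory, rule format, and all names are assumptions.

```python
import ipaddress
from itertools import product

# Tier-to-tier flows the zone model permits: presentation may reach
# application, application may reach database, nothing else crosses tiers.
ALLOWED_TIER_FLOWS = {("presentation", "application"), ("application", "database")}

# Constructed inventory: address, tier and environment tag of each host.
HOSTS = [
    {"name": "web-1", "ip": "10.0.1.10", "tier": "presentation", "env": "prod"},
    {"name": "app-1", "ip": "10.0.2.10", "tier": "application", "env": "prod"},
    {"name": "db-1", "ip": "10.0.3.10", "tier": "database", "env": "prod"},
    {"name": "dev-app-1", "ip": "10.0.2.200", "tier": "application", "env": "dev"},
]

# Constructed allow rules, shaped like cloud security-group entries.
RULES = [
    {"id": "r1", "src": "10.0.1.0/24", "dst": "10.0.2.0/25", "port": 8443},
    {"id": "r2", "src": "10.0.2.0/25", "dst": "10.0.3.0/24", "port": 5432},
    {"id": "r3", "src": "10.0.0.0/16", "dst": "10.0.3.0/24", "port": 5432},  # too broad
]

def hosts_in(cidr, hosts):
    """Hosts from the inventory whose address falls inside the CIDR block."""
    net = ipaddress.ip_network(cidr)
    return [h for h in hosts if ipaddress.ip_address(h["ip"]) in net]

def audit_rules(rules=RULES, hosts=HOSTS):
    """Return (rule id, source, destination, reason) for each flow that breaks the model."""
    findings = []
    for rule in rules:
        pairs = product(hosts_in(rule["src"], hosts), hosts_in(rule["dst"], hosts))
        for src, dst in pairs:
            if src is dst:
                continue
            if src["env"] != dst["env"]:
                findings.append((rule["id"], src["name"], dst["name"], "cross-environment"))
            elif (src["tier"] != dst["tier"]
                  and (src["tier"], dst["tier"]) not in ALLOWED_TIER_FLOWS):
                findings.append((rule["id"], src["name"], dst["name"], "tier-bypass"))
    return findings

if __name__ == "__main__":
    for finding in audit_rules():
        print(finding)
```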